Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking the Box (Joseph Sheridan)

Hacking the Box (Joseph Sheridan)

Speaker: Joseph Sheridan (http://goo.gl/9cMJ8)
Slides by Chris Cooper and Joseph Sheridan.

Penetration tester and ethical hacker Joseph Sheridan takes you through some of the day-to-day hacks utilised during a security engagement.

Presented at #Digibury 007.


Chris Cooper

July 11, 2012

More Decks by Chris Cooper

Other Decks in Technology


  1. hacking the

  2. joe@reactionis.co.uk Joseph Sheridan Started Reaction in 2009 Locally based CESG

    CHECK registered
  3. penetration testing aka ethical hacking, pentesting, white hat hacking etc…

    introduction What is penetration testing? What will be covered today?
  4. penetration testing aka ethical hacking, pentesting, white hat hacking etc…

    Services • Network infrastructure • Web apps • Host build reviews • Wireless networks • Database security
  5. HACKING MAINFRAME THE testing network infrastructure

  6. domain admin in under 30mins guess passwords the easy way

    in? < this actually happens password policy
  7. the easy way in? the awful passwords we find: Blank

    • SQL Server • Gary McKinnon blank root pentagon Password01 Company name Football team Swear words Their own username
  8. more easiness look for unpatched servers e.g. how about an

    internet-facing host with no firewall and missing critical security patches MS04-011 MS06-040 MS08-067 MS09-050 / LSASS / Canonicalisation / Netapi / Negotiate Function Table
  9. MS09-050 owned over the internet

  10. password cracking dictionary attack brute-force rainbow tables

  11. None
  12. sharing != caring when you have found a password for…

    oh, say a local administrator account chances of another account having the same password = HIGH
  13. HACKING INTERNET THE testing web applications

  14. user enumeration knowing a list of users makes brute-forcing significantly

  15. None
  16. stale cookies a user’s account is session only as secure

    as his token
  17. stale cookies e.g. once upon a time, we found the

    following session token… MDEzODM0MDg4NzM= which translates from Base64 to… 0 1 3 8 3 4 0 8 8 7 3 always zero random sequential (every login) get any active session by enumerating through 9999 values (approx 10mins in this case)
  18. None
  19. xss <p>No results found for <?=$_GET[“search"]?></p> http://mysite.com/?search=

  20. xss <p>No results found for <?=$_GET[“search"]?></p> http://mysite.com/?search= payload: <script>alert(‘xsstest’)</script>

  21. xss <p>No results found for <?=$_GET[“search"]?></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

  22. xss <p>No results found for <script>alert(‘xsstest’) </script></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

  23. xss <p>No results found for <script>alert(‘xsstest’) </script></p> script>alert(‘xsstest’)</script> payload: <script>alert(‘xsstest’)</script>

    xsstest Alert!
  24. SQLi Enter your username and password: Go! $query = “SELECT

    id FROM users WHERE uname=‘ ’ “ . $username . “ AND pword=‘ “ . $password . “ ’” joebloggs *********
  25. SQLi joebloggs Enter your username and password: Go! $query =

    “SELECT id FROM users WHERE uname=‘ ’ ********* joebloggs AND pword=‘ ‘ OR 1=1# ’”
  26. SQLi joebloggs Enter your username and password: Go! $query =

    “SELECT id FROM users WHERE uname=‘joebloggs’ ********* AND pword=‘‘ OR 1=1#’”
  27. blind SQLi ‘ and if(substring((SELECT pword FROM users WHERE uname='admin‘),

    1, 1)=‘a’, benchmark(500000, MD5(‘!’)), 0)
  28. blind SQLi

  29. HACKING PEOPLE social engineering

  30. phishing From: Company IT Helpdesk <noreply@company.com> To: Fred Jones <fj173@company.com>

    Subject: IT Helpdesk Important Information – Action Required Dear Fred, We have detected suspicious activity relating to your Company account. As a precaution, we require you to verify your details using the password management system. Failure to do so may result in revocation of your user rights. Please copy and paste the following URL into your browser: http://security.company.com/pm/?verify=982364925874578955 IT Dept. Company helpdesk@company.com This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited. Please consider the environment before printing this email.
  31. phishing users were directed to a mirrored login on our

    server how many fell for it? 9 /60
  32. USB drop could be preloaded with malware or spawn outgoing

    connections leave them lying around / curiosity hand them in to receptionist / helpfulness
  33. EXPLOITS: researching software vulnerabilities THE MAKING OF

  34. buffer overflows ScriptFu console

  35. None
  36. buffer overflows

  37. overflows buffer • return address • shellcode exploit contains:

  38. THE joe@reactionis.co.uk reaction information security, canterbury